Category: cybersecurity

Cybersecurity: Yes, They Will Hack Your Car

Auto Traffic, NightimeAuto manufacturers are increasingly equipping vehicles with rapidly advancing technologies, raising concerns regarding how the public will be affected by these changes. Manufacturers are beginning to implement automated driving and vehicle-to-vehicle (V2V) communication capabilities into their cars, extending potential cybersecurity threats and associated safety issues to road users.

As consumers, we already see cybersecurity threats and breaches in many areas of our day-to-day lives. With the spike of auto-driven and connected cars across the auto industry, these same threats and breaches have a strong potential to sprout in our lives on the road as well.

NHTSA has outlined the factors it will consider in evaluating cybersecurity threats as potential safety-related defects. They are as follows:

  • The amount of time elapsed since the vulnerability was discovered (e.g., less than one day, three months, or more than six months)

  • The level of expertise needed to exploit the vulnerability (e.g., whether a layman can exploit the vulnerability or whether it takes an expert to do so)

  • The accessibility of knowledge of the underlying system (e.g., whether how the system works is public knowledge or whether it is sensitive and restricted)

  • The necessary window of opportunity to exploit the vulnerability (e.g., an unlimited window or a very narrow window)

  • The level of equipment needed to exploit the vulnerability (e.g., standard or highly specialized)

Additionally, NHTSA’s guidance suggests policies that manufacturers :

  • Participating in the Automotive Information Sharing and Analysis Center (Auto-ISAC), which became fully operational in January 2016

  • Developing policies around reporting and disclosure of vulnerabilities to external cybersecurity researchers

  • Instituting a documented process for responding to incidents, vulnerabilities, and exploits and running exercises to test the effectiveness of these processes

  • Developing a documentation process that will allow self-auditing, which may include risk assessments, penetration test results, and organizational decisions

  • For original equipment, developing processes to ensure vulnerabilities and incidents are shared with appropriate entities throughout the supply chain

  • As vehicle technologies continue to progress, we expect that NHTSA’s guidance will evolve to address future concerns

To continue reading through NHTSA’s enforcement plans on motor vehicle safety as it pertains to recent technological advances, be sure to check out Thursday’s post on automated vehicle regulations.

ARTICLE BY Christopher H. Grigorian & R. Nicholas Englund of Foley & Lardner LLP

© 2017 Foley & Lardner LLP

Data Breaches Will Cost Yahoo and Verizon Long After Sale

data breach Yahoo VerizonFive Things You (and Your M&A Diligence Team) Should Know

Recently it was announced that Verizon would pay $350 million less than it had been prepared to pay previously for Yahoo as a result of data breaches that affected over 1.5 billion users, pending Yahoo shareholder approval. Verizon Chief Executive Lowell McAdam led the negotiations for the price reduction. Yahoo took two years, until September of 2016, to disclose a 2014 data breach that Yahoo has said affected at least 500 million users, while Verizon Communications was in the process of acquiring Yahoo. In December of 2016, Yahoo further disclosed that it had recently discovered a breach of around 1 billion Yahoo user accounts that likely took place in 2013.

While some may be thinking that the $350 million price reduction has effectively settled the matter, unfortunately, this is far from the case. These data breaches will likely continue to cost both Verizon and Yahoo for years to come.  Merger and acquisition events that are complicated by pre-existing data breaches will likely face at least four categories of on-going liabilities.  The cost of each of these events will be difficult to estimate during the deal process, even if the breach event is disclosed during initial diligence. First, the breach event will probably render integration of the systems of the target and acquirer difficult, as the full extent of the security issues is often difficult to assess and may evolve through time. According to Verizon executives, Yahoo’s data breaches created integration issues that had not been previously understood.  The eventual monetary cost of this issue remains unknown.

Second, where the target is subject to the authority of the Security and Exchange Commission (SEC), an SEC investigation and penalties if applicable, is likely, along with related shareholder lawsuits. As we wrote previously, The SEC is currently investigating if Yahoo should have reported the two massive data breaches it experienced earlier to investors, according to individuals with knowledge. Under the current agreement, Yahoo will bear sole liability for shareholder lawsuits and any penalties that result from the SEC investigation.

Third, there will likely be additional private party actions due to the breach. Exactly what these liabilities will be will depend on the data subject to exfiltration as a result of the breach.  In Yahoo’s case, Verizon and Yahoo have agreed to equally share in costs and liabilities created by lawsuits from customers and partners.  Multiple private party lawsuits have already been filed against Yahoo alleging negligence.

Fourth, other government investigations, such as by the Federal Bureau of Investigation (FBI), could result in additional costs, both monetary and reputational. The FBI is currently investing the Yahoo breaches.  Verizon and Yahoo will share the costs of the FBI investigation and other potential third party investigations.

Fifth, depending on the scope of the breach, there would likely be on-going remediation costs after the deal closes. According to a knowledgeable source, as of February 2017, Yahoo had sent notifications to a “mostly final” list of users, indicating that some remaining remediation activities may yet occur.

As we have seen, merger and acquisition events involving a target with a pre-existing data breach issues create difficult to assess costs and liabilities that will survive the closing of the transaction.

ARTICLE BY Cynthia J. Larose & Brian H. Lam of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

©1994-2017 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

In re: Target Corporation Customer Data Security Breach Litigation — instructive 8th Circuit case re class certification

target security breachJim Sciaroni  v.  Target Corporation Civil case – Class Action in Target Security Breach. The district court’s statement in the class certification order regarding Rule 23(a)(4)’s representation adequacy requirement are conclusions, not reasons, and on their own do not constitute the “rigorous analysis” of whether certification was proper in this case; the court has a continuous duty to reevaluate certification throughout the litigation and the court’s order rejecting an allegation of intraclass conflict made before final certification improperly refused to reconsider the issue solely because it had already certified the class; as a result the district court abused its discretion by failing to rigorously analyze the propriety of certification, especially once new arguments regarding the adequacy of representation were raised after preliminary certification, and the matter is remanded to the district court for it to conduct and articulate a rigorous analysis of Rule 23(a)’s certification prerequisites as applied to this case; “costs on appeal” for Rule 7 purposes include only those costs that a prevailing appellate litigant can recover under a specific rule or statute; as a result the bond set in this matter, which included delay-based administrative costs, is reversed and the matter remanded with directions to reduce the Rule 7 bond to reflect only those costs appellee will recover should they succeed in any issues remaining on appeal following the district court’s reconsideration of class certification. The panel retains jurisdiction over any remaining issues following the district court’s disposition on remand. The district court shall certify its findings and conclusions to this court within 120 days.

02/01/2017  Jim Sciaroni  v.  Target Corporation

   U.S. Court of Appeals Case No:  15-3909 and No:  15-3912 and No:  16-1203 and No:  16-1245 and No:  16-1408

   U.S. District Court for the District of Minnesota – Minneapolis

   [PUBLISHED] [Shepherd, Author, with Benton, Circuit Judge, and Strand, District Judge]

Download In re Target Corporation Customer Data Security Breach Litigation

ARTICLE BY Laura A. Bentele of Armstrong Teasdale

© Copyright 2017 Armstrong Teasdale LLP. All rights reserved

The Department Of Homeland Security Proposes New Rules Affecting Federal Government Contractors

This week, the Department of Homeland Security (“DHS”) issued three proposed rules expanding data security and privacy requirements for contractors and subcontractors. The proposed rules build upon other recent efforts by various federal agencies to strengthen safeguarding requirements for sensitive government information.  Given the increasing emphasis on data security and privacy, contractors and subcontractors are well advised to familiarize themselves with these new requirements and undertake a careful review of their current data security and privacy procedures to ensure they comply.

  • Privacy Training

DHS contracts currently require contractor and subcontractor employees to complete privacy training before accessing a Government system of records; handling Personally Identifiable Information and/or Sensitive Personally Identifiable Information; or designing, developing, maintaining, or operating a Government system of records. DHS proposes including this training requirement in the Homeland Security Acquisition Regulation (“HSAR”) and to make the training more easily accessible by hosting it on a public website.  By including the rule in the HSAR, DHS would standardize the obligation across all DHS contracts.  The new rule would require the training to be completed within thirty days of the award of a contract and on an annual basis thereafter.

DHS invites comment on the proposed rule. In particular, DHS asks commenters to offer their views on the burden, if any associated with the requirement to complete DHS-developed privacy training.  DHS also asks whether the industry should be given the flexibility to develop its own privacy training.  Comments must be submitted on or before March 20, 2017.

  • Information Technology Security Awareness Training

DHS currently requires contractor and subcontractor employees to complete information technology security awareness training before accessing DHS information systems and information resources. DHS proposes to amend the HSAR to require IT security awareness training for all contractor and subcontractor employees who will access (1) DHS information systems and information resources or (2) contractor owned and/or operated information systems and information resources capable of collecting, processing, storing or transmitting controlled unclassified information (“CUI”) (defined below).  DHS will require employees to undergo training and to sign DHS’s Rules of Behavior (“RoB”) before they are granted access to those systems and resources.  DHS also proposes to make this training and the RoB more easily accessible by hosting them on a public website.  Thereafter, annual training will be required.  In addition, contractors will be required to submit training certification and signed copies of the RoB to the contracting officer and maintain copies in their own records.

Through this proposed rule, DHS intends to require contractors to identify employees who will require access, to ensure that those employees complete training before they are granted access and annually thereafter, to provide to the government and maintain evidence that training has been conducted. Comments on the proposed rule are due on or before March 20, 2017.

  • Safeguarding of Controlled Unclassified Information

DHS’s third proposed rule will implement new security and privacy measures, including handling and incident reporting requirements, in order to better safeguard CUI. According to DHS, “[r]ecent high-profile breaches of Federal information further demonstrate the need to ensure that information security protections are clearly, effectively, and consistently addressed in contracts.”  Accordingly, the proposed rule – which addresses specific safeguarding requirements outlined in an Office of Management and Budget document outlining policy on managing government data – is intended to “strengthen[] and expand[]” upon existing HSAR language.

DHS’s proposed rule broadly defines “CUI” as “any information the Government creates or possesses, or an entity creates or possesses for or on behalf of the Government (other than classified information) that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls[,]” including any “such information which, if lost, misused, disclosed, or, without authorization is accessed, or modified, could adversely affect the national or homeland security interest, the conduct of Federal programs, or the privacy of individuals.” The new safeguarding requirements, which apply to both contractors and subcontractors, include mandatory contract clauses; collection, processing, storage, and transmittal guidelines (which incorporate by reference any existing DHS policies and procedures); incident reporting timelines; and inspection provisions. Comments on the proposed rule are due on or before March 20, 2017.

  • Other Recent Efforts To Safeguard Contract Information

DHS’s new rules follow a number of other recent efforts by the federal government to better control CUI and other sensitive government information.

Last fall, for example, the National Archives and Record Administration (“NARA”) issued a final rule standardizing marking and handling requirements for CUI. The final rule, which went into effect on November 14, 2016, clarifies and standardizes the treatment of CUI across the federal government.

NARA’s final rule defines “CUI” as an intermediate level of protected information between classified information and uncontrolled information.  As defined, it includes such broad categories of information as proprietary information, export-controlled information, and certain information relating to legal proceedings.  The final rule also makes an important distinction between two types of systems that process, store or transmit CUI:  (1) information systems “used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency”; and (2) other systems that are not operated on behalf of an agency but that otherwise store, transmit, or process CUI.

Although the final rule directly applies only to federal agencies, it directs agencies to include CUI protection requirements in all federal agreements (including contracts, grants and licenses) that may involve such information.  As a result, its requirements indirectly extend to government contractors.  At the same time, however, it is likely that some government contractor systems will fall into the second category of systems and will not have to abide by the final rule’s restrictions.  A pending FAR case and anticipated forthcoming FAR regulation will further implement this directive for federal contractors.

Similarly, last year the Department of Defense (“DOD”), General Services Administration, and the National Aeronautics and Space Administration issued a new subpart and contract clause (52.204-21) to the FAR “for the basic safeguarding of contractor information systems that process, store, or transmit Federal contract information.”  The provision adds a number of new information security controls with which contractors must comply.

DOD’s final rule imposes a set of fifteen “basic” security controls for covered “contractor information systems” upon which “Federal contract information” transits or resides.  The new controls include: (1) limiting access to the information to authorized users; (2) limiting information system access to the types of transactions and functions that authorized users are permitted to execute; (3) verifying controls on connections to external information systems; (4) imposing controls on information that is posted or processed on publicly accessible information systems; (5) identifying information system users and processes acting on behalf of users or devices; (6) authenticating or verifying the identities of users, processes, and devices before allowing access to an information system; (7) sanitizing or destroying information system media containing Federal contract information before disposal, release, or reuse; (8) limiting physical access to information systems, equipment, and operating environments to authorized individuals; (9) escorting visitors and monitoring visitor activity, maintaining audit logs of physical access, and controlling and managing physical access devices; (10) monitoring, controlling, and protecting organizational communications at external boundaries and key internal boundaries of information systems; (11) implementing sub networks for publically accessible system components that are physically or logically separated from internal networks; (12) identifying, reporting, and correcting information and information system flaws in a timely manner; (13) providing protection from malicious code at appropriate locations within organizational information systems; (14) updating malicious code protection mechanisms when new releases are available; and (15) performing periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

“Federal contract information” is broadly defined to include any information provided by or generated for the federal government under a government contract.  It does not, however, include either:  (1) information provided by the Government to the public, such as on a website; or (2) simple transactional information, such as that needed to process payments.  A “covered contractor information system” is defined as one that is:  (1) owned or operated by a contractor; and (2) “possesses, stores, or transmits” Federal contract information.

ARTICLE BY Connie N BertramAmy Blackwood & Emilie Adams of Proskauer Rose LLP

© 2017 Proskauer Rose LLP.

Cyber-Attacks: A Problem In 2016, Still A Problem in 2017

cyber-attacks hacktivismA survey of nearly 600 organisations across a variety of industries globally has revealed 98% of these organisations experienced some form of cyber-attack in 2016. (We are left wondering if the other 2% just didn’t notice?)

The survey, conducted by cyber-security company Radware, also found that many organisations are still not prepared to face the threat landscape including that 40% of organisations do not have an incident response plan in place.

Respondents indicated that ransom was the top motivation behind cyber-attacks (41%), followed by insider threats (27%), political hacktivism (26%) and competition (26%).

Radware’s Vice President of Security Solutions, Carl Herberger, says that money is the top motivator in today’s threat landscape. He says “attackers employ an ever-increasing number of tactics to steal valuable information, from ransom attacks that can lock up a company’s data, to DDoS attacks that act as a smoke screen for information theft, to direct brute force or injection attacks that grant direct access to internal data”.

Radware predicts that in 2017, we will see an increase in the use of IoT botnets, cyber ransom, telephony DoS, permanent denial of service for data centre and IoT operations, and public transport being held hostage.

Not the most positive outlook for 2017, but it would be a brave person to suggest they are wrong with those predictions.

ARTICLE BY Cameron Abbott & Allison Wallace of K&L Gates
Copyright 2017 K & L Gates

The White House’s Revisions to its Breach Response Policy For Federal Agencies and Departments Also Affect Contractors

White House data breach responseOn January 3, 2017, the Obama Administration issued a memorandum to all executive departments and agencies setting for a comprehensive policy for handling breaches of personally identifiable information (the “Memorandum”), replacing earlier guidance. Importantly, the Memorandum also affects federal agency contractors as well as grant recipients.

The Memorandum is not the first set of guidance to federal agencies and departments for reporting breaches of personally identifiable information (PII), but it establishes minimum standards going forward (agencies have to comply within 180 days from the date of the Memorandum). The Memorandum makes clear that it is not setting policy on information security, or protecting against malicious cyber activities and similar activities; topics related to the recent fiery debates concerning the 2016 election results and Russian influence.

The Memorandum sets out a detailed breach response policy covering topics such as preparedness, establishing a response plan, assessing incident risk, mitigation, and notification. For organizations that have not created a comprehensive breach response plan, the Memorandum could be a helpful resource, even for those not subject to it. But it should not be the only resource.

Below are some observations and distinctions worth noting.

  • PII definition. Unlike most state breach notification laws, the Memorandum defines PII broadly: information that can be used to distinguish to trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. So, for example, the notification obligation for a federal contractor will not just apply if Social Security numbers or credit card numbers have been compromised.
  • Breach definition. Breaches are not limited phishing attacks, hackings or similar intrusions. They include lost physical documents, sending an email to the wrong person, or inadvertently posting PII on a public website.
  • Training. Breach response training must be provided to individuals before they have access to federal PII. That training should advise the individuals not to wait for confirmation of a breach before reporting to the agency. A belief (or hope) that one will find that lost mobile device should not delay reporting.
  • Required provisions in federal contracts. Federal contractors that collect or maintain federal PII or use or operate an information system for a federal agency must be subject to certain requirements by contract. The Memorandum requires agencies to update their contracts with contractors to ensure the contracts contain certain provisions, such as requiring contractors to (i) encrypt PII in accordance with OMB Circular A-130, (ii) train employees, (iii) report suspected or confirmed breaches; (iv) be able to determine what PII was or could have been accessed and by whom, and identify initial attack vectors, and (v) allow for inspection and forensic analysis. Because agencies must ensure these provisions are uniform and consistent in all contracts, negotiation will be difficult. The Federal Acquisition Regulatory Council is directed to work the Office of Management and Budget to promptly develop appropriate contract clauses and regulatory coverage to address these requirements.
  • Risk of harm analysis. Agencies will need to go through a complex risk of harm analysis to determine the appropriate breach response. Notably, encryption of PII is not an automatic exception to notification.
  • Notification. The rules for timing and content of breach notification are similar to those in many of the state breach notification laws. The Memorandum also advises agencies to anticipate undeliverable mail and to have procedures for secondary notification, something not clearly expressed in most state notification laws. The Memorandum also suggests website FAQs, which can be more easily updated and tailored. Agency heads have ultimate responsibility for deciding whether notify. They can consider over-notification and should try to provide a single notice to cover multiple notification requirements. They also can require contractors to provide notification following contractor breaches.
  • Tabletop Exercises. The Memorandum makes clear that testing breach response plans is essential and expressly requires that tabletop exercises be conducted at least annually.

Federal contractors and federal grant recipients that have access to federal PII will need to revisit (or develop) their own breach response plans to ensure they comply with the Memorandum, as well as the requirements of the applicable federal agency or department which can be more stringent. Of course, those plans must also incorporate other breach response obligations the organizations may have, whether those obligations flow from other federal laws (e.g., HIPAA), state laws, or contracts with other entities. Putting aside presidential politics, cybersecurity threats are growing and increased regulation, enforcement and litigation exposure is likely.

ARTICLE BY Joseph J. Lazzarotti of Jackson Lewis P.C.

Jackson Lewis P.C. © 2017

Swiss-US Privacy Shield Will Replace Swiss-US Data Protection Safe Harbor

Swiss Privacy ShieldOn January 11, 2017, the Swiss Federal Council announced that a new framework will govern the transfer of personal data from Switzerland to the US.  According to the Federal Council, the Swiss-US Privacy Shield Framework “will apply the same conditions as the European Union.”  The International Trade Administration stated that the US Department of Commerce will begin accepting certifications on April 12.  Certification will allow companies to comply with Swiss data protection requirements, facilitating transatlantic commerce.

  • The Federal Council made note of several changes from the Swiss-US Safe Harbor to the Swiss-US Privacy Shield, including:

  • “Stricter application of data protection principles by participant companies”

  • Heightened administration and supervision requirements by US authorities

  • Enhanced cooperation between the Swiss Federal Data Protection and Information Commissioner and the US Department of Commerce

  • A new arbitration body to handle claims

  • Introduction of an ombudsperson in the US Department of State, who will address Swiss persons’ concerns about the processing of their personal data by US intelligence services

Because the Swiss-US Privacy Shield aligns with the EU-US Privacy Shield, the self-certification process should not be overly burdensome.

However, in light of this change, it is important to reassess current business practices to determine whether a company is participating in the transfer of personal data from Switzerland to the US.  If so, companies should remove any references to the Safe Harbor, and should be ready to apply for self-certification.  Further, companies should prepare for changes to internal policies to comply with the new requirements under the Swiss-US Privacy Shield.

ARTICLE BY Theodore F. Claypoole & Taylor Ey of Womble Carlyle Sandridge & Rice, PLLC

Copyright © 2017 Womble Carlyle Sandridge & Rice, PLLC. All Rights Reserved.

Law Firm Data Breaches: Big Law, Big Data, Big Problem

law firm data breachesThe Year of the Breach

2016 was the year that law firm data breaches landed and stayed squarely in both the national and international headlines. There have been numerous law firm data breaches involving incidents ranging from lost or stolen laptops and other portable media to deep intrusions exposing everything in the law firm’s network. In March, the FBI issued a warning that a cybercrime insider-trading scheme was targeting international law firms to gain non-public information to be used for financial gain. In April, perhaps the largest volume data breach of all time involved law firm Mossack Fonesca in Panama. Millions of documents and terabytes of leaked data aired the (dirty) laundry of dozens of companies, celebrities and global leaders. Finally, Chicago law firm, Johnson & Bell Ltd., was in the news in December when a proposed class action accusing them of failing to protect client data was unsealed.

A Duty to Safeguard

Law firms are warehouses of client information and how that information is protected is being increasingly regulated and scrutinized. The legal ethics rules require attorneys to take competent and reasonable measures to safeguard information relating to client. (ABA Model Rules 1.1, 1.6 and Comments). Attorneys also have contractual and regulatory obligations to protect information relating to clients and other personally identifiable information, financial and health, for example.

American Bar Association’s 2016 TechReport

Annually, the ABA conducts a Legal Technology Survey (Survey) to gauge the state of our industry vis-à-vis technology and data security. The Survey revealed that the largest firms (500 or more attorneys) reported experiencing the most security breaches, with 26% of respondents admitting they had experienced some type of breach. This is a generally upward trend from past years and analysts expect this number only to rise. This is likely because larger firms have more people, more technology and more data so there is a greater exposure surface and many more risk touch-points.

Consequences of Breach

The most serious consequence of a law firm security breach is loss or unauthorized access to sensitive client data. However, the Survey shows there was a low incidence of this, only about 2% of breaches overall resulted in loss of client data. Other concerning consequences of the breaches are significant though. 37% reported business downtime/loss of billable hours, 28% reported hefty fees for correction including consulting fees, 22% reported costs associated with having to replace hardware/software, and 14% reported loss of important files and information.

Employing & Increasing Safeguards Commonly Used in other Industries

The 2016 Survey shows that while many law firms are employing some safeguards and generally increasing and diversifying their use of those safeguards, our industry may not be using common security measures that other industries employ.

1. Programs and Policies. The first step of any organization in protecting its data is establishing a comprehensive data security program. Security programs should include measures to prevent breaches (like policies that regulate the use of technology) and measures to identify, protect, detect, respond to and recover from data breaches and security incidents. Any program should designate an individual, like a full-time privacy officer or information security director, who is responsible for coordinating security. However, the numbers show that the legal industry may not be up to speed on this basic need. Survey respondents reported their firms had the following documented policies:

Document or records management and retention policy: 56%

Email use policy: 49%

Internet use/computer use policy: 41%

Social media use: 34%

2. Assessments. Using security assessments conducted by independent third parties has been a growing security practice for other industries; however, law firms have been slow to adopt this security tool, with only 18% of law firms overall reporting that they had a full assessment.

3. Standards/Frameworks. Other industries use security standards and frameworks, like those published by the International Organization for Standardization (ISO) to provide approaches to information security programs or to seek formal security certification from one of these bodies. Overall, only 5% of law firms reported that they have received such a certification.

4. Encryption. Security professionals view encryption as a basic safeguard that should be widely deployed and it is increasingly being required by law for any personal information; however only 38% of overall respondents reported use of file encryption and only 15% use drive encryption. Email encryption has become inexpensive for businesses and easier to use with commercial email services yet overall only 26% of respondents reported using email encryption with confidential/privileged communications or documents sent to clients.

5. Cybersecurity Insurance. Many general liability and malpractice polices do not cover security incidents or data breaches, thus there is an increasing need for business to supplement their coverage with cybersecurity insurance. Unfortunately, only 17% of attorneys reported that they have cyber coverage.

Conclusion

It is important to note that the figures revealed by the 2016 Survey, while dismaying, may also be extremely conservative as law firms have a vested interest in keeping a breach of their client’s data as quiet as possible. There is also the very real possibility that many firms don’t yet know that they have been breached. The 2016 Survey demonstrates that there is still a lot of room for improvement in the privacy and data security space for law firms. As law firms continue to make the news for these types of incidents it is likely that improvement will come sooner rather than later.

ARTICLE BY Kathryn T. Allen of Polsinelli PC
© Polsinelli PC, Polsinelli LLP in California

2016 Cybersecurity Year in Review, and Data Privacy Trends to Watch in 2017

cybersecurity data privacyWith 2016 in the rear-view mirror, we have been reflecting on the many data privacy and cybersecurity legal developments of the past year, both in the U.S. and internationally, as well as focusing on trends to watch in the new year. With best wishes for a Happy New Year from all of us, we present a number of highlights from 2016, and suggest a few areas to watch in 2017.

U.S. Courts Wrestle With Law Enforcement Access to Data

Debate over law enforcement access to data stored by technology companies was perhaps the most visible privacy and cybersecurity issue of 2016, with far-reaching implications in both the U.S. and abroad. In July, the Second Circuit issued a decision in Microsoft’s challenge to a warrant issued under the Electronic Communications Privacy Act (ECPA), seeking email content stored in Ireland. The Second Circuit unanimously held that ECPA warrants cannot compel U.S. providers to disclose the contents of customer communications stored on foreign servers. In 2017, we expect that decision to have significant implications for U.S. technology companies, as well as consumers and companies that store data with U.S.-based providers. The government has sought rehearing en banc, and also has indicated that it intends to submit legislation to Congress to address the implications of the decision.  Congress has considered related issues in the International Communications Privacy Act.

Apple also engaged in a high-profile court battle with the government early in 2016 when the company refused the FBI’s request to unlock a terror suspect’s iPhone, though the dispute ended in March without a court decision when the FBI announced it had accessed the device without Apple’s assistance.  Congress continues to grapple with the consequences of that case to include considering several encryption-related legislative proposals.

U.S. Supreme Court Addresses Privacy Standing in Spokeo

The U.S. Supreme Court issued its highly anticipated decision in Spokeo in May, addressing whether plaintiffs have standing to pursue statutory damages even in the absence of harm under the Fair Credit Reporting Act (FCRA). The Court reaffirmed that constitutional standing in federal court requires “concrete” (i.e., actual) harm and offered several guiding principles to assist lower courts in determining whether standing requirements have been met.  Although the case specifically dealt with the FCRA, Spokeo has significant implications in privacy and data breach litigation because numerous federal privacy laws have been construed to allow statutory damages even in the absence of actual harm.  Lower courts have begun applying the decision in data breach cases, including a recent district court ruling that a named plaintiff’s allegations that stolen personal information was used to file a false tax return were sufficient to impart standing under Spokeo.  In 2017, we expect this process to continue, as lower courts continue to interpret the Supreme Court’s decision.

A New Framework for EU-U.S. Data Transfers

The EU-U.S. Privacy Shield, a new framework for the transfer of personal data between the EU and the U.S., was announced in February and finalized in July.  Negotiators in the EU and U.S. worked on an accelerated timeline following the invalidation of the Safe Harbor in late 2015 resulting in the Privacy Shield—a significantly more stringent framework than its predecessor.  Companies began self-certifying adherence to the Privacy Shield in August, and as of this post more than 1,300 companies have signed up at the Department of Commerce’s website.  In 2017, we see continued uncertainty in this area.  The Privacy Shield faces a legal challenge in the European Court of Justice, and another cross-border mechanism—standard contractual clauses—also is subject to an EU court action.  The Privacy Shield itself was based, in part, on an exchange of letters between the Obama Administration and the European Commission relating to mass surveillance, and it remains to be seen if the Trump Administration will continue the commitments made in those letters.  Relatedly, the European Parliament approved the EU-U.S. Umbrella Agreement in December—a framework for the exchange of personal data for law-enforcement (including anti-terrorism) purposes between the EU and U.S.

Sweeping New Data Protection Laws Approved in Europe

The European Parliament passed into law the General Data Protection Regulation (GDPR) in April, a sweeping new set of privacy and data security rules that will take effect in mid-2018.  Unlike the EU Data Protection Directive which it replaces, the GDPR for the most part will have direct effect throughout the EU without requiring national implementation legislation.  Companies doing business in (or with companies operating in) the EU have begun preparing for compliance with the new requirements, and the Article 29 Working Party released the first set of guidance on the GDPR in December.  In 2017, we expect the Article 29 Working Party to continue to fill in some of the blanks left in the GDPR, and we also expect companies to intensify their preparation for the mid-2018 effective date of this landmark legislation.

FTC’s Data Security Authority Tested (Again) in LabMD

 Following the Third Circuit’s decision affirming the FTC’s authority to regulate corporate data security in Wyndham last year, the FTC sought to further bolster its data security authority in LabMD.  In July, the Commission unanimously vacated a prior Administrative Law Judge decision and found that LabMD’s actions were “unfair” under Section 5 of the FTC Act.  In November, however, the Eleventh Circuit stayed enforcement of the FTC’s LabMD order, finding that LabMD was likely to succeed on the merits because the FTC’s interpretations of aspects of the FTC Act relating to its data security authority were likely not reasonable. The case will now proceed on the merits, but the grant of the stay suggests that the Eleventh Circuit may be receptive to LabMD’s arguments for ultimate reversal of the LabMD order.  This could produce a circuit split between the Eleventh Circuit and the Third Circuit (which decided the Wyndham case), and thereby provide a basis for an attempt to secure Supreme Court review of the FTC’s jurisdiction.  Moreover, this case could provide a vehicle for a new FTC, with a Republican majority, to reconsider the agency’s current aggressive approach on “unfairness” as applied to data security.

Newly Established Cybersecurity Requirements and Guidelines

A number of U.S. states and standard-setting organizations issued broadly applicable cybersecurity requirements and guidelines in 2016.  In February, as part of the release of its 2016 Data Breach Report, the Office of the Attorney General for California established a de facto standard that companies doing business in California must, at a minimum, adopt twenty specific security controls established by the Center for Internet Security in order to have “reasonable” security practices in California.  And New York State proposed first-in-the-nation cybersecurity regulations that contain several mandatory security requirements for financial services institutions—those institutions that are regulated by New York banking, insurance, or financial services laws—which are currently being revised following industry comments and are scheduled to take effect in March 2017.

At the federal level, in October, the Department of Defense (DoD) finalized its safeguarding and cyber incident reporting obligations, requiring DoD contractors to implement specific security controls for information systems that store, process, or transmit DoD’s data and to report actual or possible cybersecurity incidents involving such data to DoD within 72 hours.  And in the coming year, similar security controls and reporting requirements will likely be required for all government contractors, as a September rule promulgated by the National Archives and Record Administration (NARA) set the stage for a Federal Acquisition Regulation (FAR) clause that will likely mirror DoD’s requirements.  In November, the National Institute of Standards and Technology (NIST) released guidance for small businesses on cybersecurity preparedness, including a list of “recommended practices” that are applicable not just to small businesses, but entities of all sizes.

New Cybersecurity and Privacy Laws and Regulations in China

As expected, authorities in China were active in passing a new Cybersecurity Law and proposing new cybersecurity and privacy regulations in 2016.  In November, the Standing Committee of China’s National People’s Congress passed China’s first Cybersecurity Law (the “Law”), which will take effect starting June 1, 2017.  Described as China’s “fundamental law” in the area of cybersecurity, the new Law articulates the government’s priorities with respect to “cyberspace sovereignty,” consolidates existing network security-related requirements (covering both cyber and physical aspects of networks), and grants government agencies greater power to regulate cyber activities.  It is the first Chinese law that systematically lays out the regulatory requirements on cybersecurity, subjecting many previously under-regulated or unregulated activities in cyberspace to government scrutiny.  At the same time, it seeks to balance the dual goals of enhancing cybersecurity and developing China’s digital economy, which relies heavily on the free flow of data.

China’s National Information Security Standardization Technical Committee (NISSTC) drafted a Personal Information Security Standard, a non-binding standard for data privacy and security practices of companies operating in China.  The NISSTC also released seven draft standards for comment in December, with a public comment period running until February 2, 2017.  The Cyberspace Administration of China (CAC) has also been active in 2016, issuing new rules for mobile apps in July, and draft regulations aimed at protecting minors in cyberspace in October. Finally, in August China’s State Administration of Industry and Commerce (SAIC) released draft regulations for public comment that would amend consumer protection laws to, among other things, supplement existing privacy obligations for companies operating in China.

FCC Releases Broadband Privacy Rules

The FCC’s increasing focus on privacy issues continued in 2016 with the release of broadband privacy rules.  The new rules, which were formally proposed in April, regulate the privacy practices of broadband Internet Service Providers (ISPs), including requirements to obtain consent for certain uses of consumer data and to adhere to certain data security practices.   The rules were adopted by the Commission in a 3-2 party-line vote in October, so their fate is quite uncertain under the incoming Republican administration.  Given that petitions for reconsideration currently are pending before the FCC and will remain so until the change in Administration, these rules could be one of the first areas in which the new FCC makes its mark on the policies of the Obama-era Commission.

Connected Devices and The Internet of Things

2016 saw several developments relating to the Internet of Things (IoT), such as internet-connected refrigerators and thermostats, which present unique opportunities and challenges from a privacy and cybersecurity perspective.  In April, the U.S. Department of Commerce issued a request for public comment on the benefits, challenges, and potential government roles for IoT, and the U.S. Senate Commerce Committee approved a bill (which remains pending) to establish a working group to study and facilitate IoT growth.  Around the same time, the European Commission released a series of industry-related initiatives addressing IoT, among other things.  And in November, NIST released cybersecurity guidance for IoT, and the Broadband Internet Technical Advisory Group released another report detailing the unique security and privacy challenges posed by IoT.  In 2017, we expect the focus on connected devices to escalate, particularly given the emergence of driverless cars and other innovative technologies.

Russia v. USA: Geo Political Cyber Warfare And Your Business

Cyber warfare, Russian Flag HackThe cyber war battlefield has expanded, and your business is now a fighter and a target.

A new U.S. Government report explains many reasons for identifying and penalizing Russian hackers, the Russian intelligence services, and the Russian leadership in response to hacks on U.S. government, political and business targets. The report contains detailed information that organizations can use to determine if the Russians have accessed their systems, plus a detailed list of prudent steps and best practices that all organizations should consider as part of their cyber security efforts.

The overarching message of the report is that the DNC hack was not an isolated incident but part of an ongoing campaign of cyber-enabled operations directed at the U.S. government and its citizens. These cyber operations have included campaigns targeting government organizations, critical infrastructure entities, think tanks, universities, political organizations, and corporations leading to the theft of information.

The report is best understood as a call to arms for U.S. private sector and government entities to strengthen their vigilance and defenses against Russian Intelligence Services and join DHS and FBI in their effort to counter them. Many organizations believe that because they hold no state secrets, defense-related intellectual property, or sensitive information on government employees, they have no stake in geopolitical cyber security. DHS and the FBI are saying that this is not true. The national interest in cyber security is materially weakened whenever organizations with credibility and standing allow their domains to be breached and used conduits for cyber-attacks on others –as happened in the DNC breach. Furthermore, data collected from breaches of non-traditional targets is often used to create the highly-targeted and highly credible email packages for use in spear phishing campaigns against more traditional targets. Geopolitical cyber security is being “democratized” with wide ranging potential public policy implications.

On December 29, 2016, the United States Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) jointly identified the Russian civilian and military intelligence services (RIS) as responsible for the 2015-2016 hack of the Democratic National Committee and its leadership. (In a nod to investigatory confidentiality, the joint DHS/FBI report refers to the targets only as a “U.S. political party,” and “multiple senior party members.”) The U.S. government has given the RIS effort the rather unartfully chosen name of “GRIZZLY STEPPE.”1

The joint DHS/FBI report provides the most detailed public discussion to date by U.S. law enforcement and cyber security agencies of the means and methods used in a foreign government-sponsored cyber-attack against U.S. interests. In October 2016, DHS and the Director of National Intelligence had reported that they were “confident” that RIS was behind the DNC attack. But this is the first time that a DHS/FBI joint report had formally assigned culpability for a specific cyber-attack to a specific nation. It is also the first time that specific operational groups within a foreign cyber directorate have been singled out and their identifying practices, approaches and tools have been publically discussed.

The report links these operations by RIS to damaging or disruptive cyber-attacks committed in recent years on foreign interests.2 The report does not mention these attacks by name but apparently is referencing recent cyber-attacks on the Ukrainian electrical grid, banking system and other infrastructure,3 and on Estonian governmental and quasi-governmental entities. All of these cyber-attacks have been widely attributed to the Russian government, which denies that attribution.

As part of its call to arm, the DHS/FBI report provides “technical details regarding the tools and infrastructure” being used by the RIS “to compromise and exploit networks and endpoints associated with a range of U.S. Government, political and private sector entities.

The report shows how groups working within RIS have been able to plant command and control infrastructure within the servers and domains of U.S. organizations and educational institutions –infrastructure they used to send phishing emails to potential victims and to serve as a pipeline to receive and retransmit stolen data once a breach was established. The report infers that the Russians were able to camouflage their actions by routing this malicious internet traffic through otherwise known and legitimate –perhaps even well-respected— private and educational organizations.

In the report, DHS and the FBI provides “technical indicators related to many of these operations, recommended mitigations, suggested actions to take in response to these the indicators provided and information on how to report such incidents to the U.S. Government.” The technical indicators include the specific software fingerprints (Yara signatures) for the malware planted by RIS, and the specific IP addresses, URLs and file hashes that the RIS operatives have used in their attacks on U.S. computer systems.

DHS and the FBI call on the private sector and others to put this information to immediate use to identify and remediate on-going RIS breaches and to limit future vulnerabilities. It is likely that other private and governmental entities are subject to active and breaches by the RIS, and may be serving as infrastructure for on-going RIS attacks on others. To this end, the report recommends that network administrators “review the IP addresses, file hashes, and Yara signatures provided and add the IP addresses to their watchlists” to determine whether malicious activity is taking place in their systems today.

The DHS/FBI report cautions that some of the traffic crossing network perimeters or firewalls and reflecting the suspicious IP addresses and other identifying information may prove to be legitimate. Conversely, some traffic that appears legitimate may involve RIS or others scanning public-facing servers (e.g., HTTP, HTTPS, FTP) to identify websites that are vulnerable cross-site scripting (XSS) or Structured Query Language (SQL) injection attacks. This scanning can be the precursor to exploitation of the vulnerabilities found.

The FBI and DHS cannot impose direct legal consequences on private sector and governmental entities who fail to act on this information. But scenarios can be envisioned where the failure to do so could be considered a failure to provide the minimum levels of data protection that are may be required by the multiple statutory, regulatory and common law constructs under which businesses operate today. Womble Carlyle advises its clients to evaluate the DHS/FBI report carefully, and to document and the actions and decisions taken response to it for future reference.

As to the specific DNC attack, the report concludes that two separate groups within RIS breached the DNC computer system. These teams used different techniques and malware exploits and the report does not show direct coordination between the breaches. The report designates the two RIS hacking groups as APT (Advanced Persistent Threat) 28 and APT 29.

(An advanced persistent threat actor or APT is a hacker or team of hackers whose sophisticated methods, choice of targets, and the determination to breach those specific targets set them apart from even the most accomplished global cybercriminals. APTs are generally assumed to be associated with nation states and other political actors.)

The report indicates that the initial breach of the DNC computer resulted from a 2015 spear phishing campaign in which APT29 sent “out emails containing a malicious link to over 1,000 recipients, including multiple U.S. Government victims.” But even before this, APT29 had breached a number of “legitimate [internet] domains, to include domains associated with U.S. organizations and educational institutions.” Through these earlier breaches, APT29 had set up operational infrastructure (i.e., false user and email accounts) within the computer domains of these legitimate organizations. These accounts allowed APT29 to send spear phishing emails to its victims from legitimate organizations, possibly organizations known to and respected by the potential victims, albeit from unauthorized and fraudulent email accounts hosted there.

Links in the spear phishing emails directed the victims to web pages created by APT29 and hosted, once again, on the domains of these otherwise legitimate organizations. The pages included malware droppers which downloaded malicious software on the targets’ computer system when the victims’ clicked on the links.

At least one targeted individual, apparently a “U.S. Government victim,” activated the malicious link from a computer on the DNC’s system. The downloaded malware granted APT29 remote access to that individual’s computer which the group then used to obtain control over the computer’s operating systems (PowerShell commands). The group established “persistence” in the form of difficult to detect “back doors” allowing its members to come and go on the system at will. They “escalated privileges” harvesting credentials that allowed them wider and wider access to the data on the DNC’s system. They created their own user accounts on the DNC domains to receive, encrypt and exfiltrate (steal) data. They conducted surveillance and began exporting data using encrypted connections.

Operational infrastructure unwittingly hosted on legitimate sites formed the pipeline for breaching the DNC and transmitting the stolen data to Russia. This made the malicious nature of the transfers harder to detect.

A second breach occurred in the spring of 2016 when a separate RIS group, APT28, hacked the DNC using a different spear phishing technique. DHS and the FBI report that APT28’s established modus operandi is to “leverage[e] domains that closely mimic those of targeted organizations.” This can mean, for example, substituting www.yourcompany.co or www.youcompany.com for www.yourcompany.com. Spear phishing emails can be sent that spoof an email from the targets’ IT department or other leadership. The email instructs the targets to confirm or update their passwords using a link provided. The link is to a fraudulent web page on an unwitting host’s system. If the targets click on the link and enter passwords as instructed, their credentials are immediately transmitted to the hacker who uses them to gain access to the computer and begin uploading malware and conducting exploits.

APT28’s approach appears to gained access to the email accounts of “multiple senior party members” at the DNC. The report indicates that the 19,000 emails and other documents posted on WikiLeaks on the eve of the Democratic National Convention were harvested by APT28.

Other reports indicate that it was APT28’s attempts to breach the DNC’s computers in the spring of 2016 that led to DNC to retain cybersecurity consultants to look for a potential breach. Apparently, by the time remedial action could be taken the damage had been done. It also seems that the investigation into the APT28 cyber-attack lead to the discovery of the older, on-going APT29 breach, which may explain the fact that the team responsible for the older breach was assigned the higher reference number.

The DHS/FBI report does not say which “U.S. organizations and educational institutions” were the unwitting hosts to the RIS’s activities. But it is very reasonable to assume that sometime in the summer of 2016, a legitimate and undoubtedly respected U.S. organization or educational institution received a call from the FBI telling them that their lax cyber security policies materially contributed to what the U.S. government is now reporting to be a deliberate attempt by Russia to subvert the U.S. political process. Other organizations may be in a similar situation today, with RIS actively using their infrastructure to carry out cyber-attacks on other U.S. interests.

Would an organization become civilly liable, if absent good reasons, it were to ignore the tools and recommendations cited in this report and then becomes (or continues to be used as) the conduit for future data breaches that injure others? The law on this point is in its infancy. The answer will only come when courts resolve claims by specific plaintiffs seek against specific defendants in future lawsuits. But the process for creating future precedents on these matters will likely be slow, embarrassing and expensive for the defendants involved. And the resulting reputational black-eye may represent the greatest cost of all.

ARTICLE BY Belton T. Zeigler & Theodore F. Claypoole of Womble Carlyle Sandridge & Rice, PLLC

Copyright © 2016 Womble Carlyle Sandridge & Rice, PLLC. All Rights Reserved.

1 Would a second such cyber-attack become the “GRIZZLY TWO-STEPPE” or simply “DANCING BEAR?”

2 http://www.wsj.com/articles/behind-russias-cyber-strategy-1483140188

3 http://www.wsj.com/articles/cyber-experts-cite-link-between-dnc-hacks-an…